Hi Mailing List, I would appreciate some help to get mail sending out of my routed DMZ to work.
What currently happens in my setup is that a DMZ machine can contact the mail server on the external internet via port 25. But the mail server's replies to the DMZ machine on high ports 4436 and 4437 are blocked in the input chain. To clarify, I do NOT want to open port 25 to the outside.

I read the docs and network.conf and tried to fix this by setting DMZ_HIGH_TCP_CONNECT to YES. This did not help.

Below is an extract from ipchains -L --line-numbers -n for the high port range, IP addresses replaced with symbolic values from the script:

    Chain input (policy DENY):
    num  target  prot opt    source     destination  ports
    34   ACCEPT  tcp  ------ 0.0.0.0/0  EXTERN_IP    * -> 1024:65535

I think the following was done by DMZ_HIGH_TCP_CONNECT=YES:

    Chain forward (policy DENY):
    num  target  prot opt    source     destination  ports
    12   ACCEPT  tcp  ------ 0.0.0.0/0  DMZ_NET      * -> 1024:65535

To be honest, I don't understand this yet. If the mail server on the internet sends a packet to a high port on the DMZ machine (not the router address EXTERN_IP), then what is the purpose of opening EXTERN_IP? Should it not be DMZ_NET, the network of the final recipient of the packet? I could understand that opening EXTERN_IP is required to allow packets to reach services that run on the router itself, e.g. ssh.

What part in network.conf or ipfilter.conf needs to be configured to fix my problem?

Here is my simple setup: there are only 2 networks. What makes things REALLY easy is that these small networks don't need to be hidden or address-translated. They are both physically and IP-address-wise different networks with routable IP addresses in the public internet IP range.
I think Charles Steinkuehler terms this "Routed DMZ". Here is the map:

    ~~~~~~~~~~~~~~~~~~~~~~
    {    ISP Network     }
    {    a0.b0.c0.d/26   }
    ~~~~~~~~~~~~~~~~~~~~~~
              |
           Ethernet
              |
              |
    -----------------------
    | eth0  EXTERN_IP     |
    |     LRP ROUTER      |
    |        eth1         |
    -----------------------
              |
           Ethernet
              |
              |
    ~~~~~~~~~~~~~~~~~~~~~~
    {    DMZ Network     }
    {   a1.b1.c1.d1/29   }
    ~~~~~~~~~~~~~~~~~~~~~~

No address translation occurs; all addresses are real-world IPs. The DMZ network is NOT a subnet of the ISP network.

Many thanks!
Bernard
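An added illustration (not from the post or the LEAF project) of how ipchains evaluates the two listed rules: a forwarded packet traverses the input chain before the forward chain, so an input rule whose destination is EXTERN_IP cannot admit a reply addressed to a DMZ host, even though the forward chain would accept it. The addresses are constructed placeholders for the symbolic names, and the output chain, which the listing does not show, is assumed to accept everything.

```python
import ipaddress
from collections import namedtuple

# Constructed placeholder addresses standing in for the symbolic names in the post.
EXTERN_IP = "203.0.113.1"      # router's eth0 address (a /32 when used as a rule target)
DMZ_NET = "198.51.100.8/29"    # routed DMZ block
ANY = "0.0.0.0/0"
HIGH = (1024, 65535)           # the 1024:65535 range from the listing

Packet = namedtuple("Packet", "proto src sport dst dport")
Rule = namedtuple("Rule", "target proto src dst dports")   # src/dst are CIDR strings

def matches(rule, p):
    """ipchains-style match on protocol, source net, destination net, dest port range."""
    return (p.proto == rule.proto
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(rule.dst)
            and rule.dports[0] <= p.dport <= rule.dports[1])

# Chains as listed in the post: one ACCEPT rule each, policy DENY.
# The output chain is not shown there and is assumed to accept everything.
CHAINS = {
    "input":   ([Rule("ACCEPT", "tcp", ANY, EXTERN_IP, HIGH)], "DENY"),  # rule 34
    "forward": ([Rule("ACCEPT", "tcp", ANY, DMZ_NET, HIGH)], "DENY"),    # rule 12
    "output":  ([], "ACCEPT"),
}

def run_chain(chains, name, p):
    """First matching rule's target, else the chain policy."""
    rules, policy = chains[name]
    return next((r.target for r in rules if matches(r, p)), policy)

def traverse(chains, p):
    """(verdict, deciding chain) for a packet arriving on eth0. A packet addressed to
    the router sees only input; a forwarded packet walks input, forward, then output."""
    local = ipaddress.ip_address(p.dst) == ipaddress.ip_address(EXTERN_IP)
    for name in (["input"] if local else ["input", "forward", "output"]):
        if run_chain(chains, name, p) == "DENY":
            return ("DENY", name)
    return ("ACCEPT", name)

def with_dmz_input_rule(chains):
    """Same rule set plus an input-chain ACCEPT for high ports on DMZ_NET."""
    rules, policy = chains["input"]
    return {**chains, "input": (rules + [Rule("ACCEPT", "tcp", ANY, DMZ_NET, HIGH)], policy)}

if __name__ == "__main__":
    reply = Packet("tcp", "192.0.2.25", 25, "198.51.100.10", 4436)  # mail server -> DMZ host
    print(traverse(CHAINS, reply))                       # ('DENY', 'input')
    print(traverse(with_dmz_input_rule(CHAINS), reply))  # ('ACCEPT', 'output')
```

The same reply addressed to EXTERN_IP itself is accepted by rule 34 alone, which is the "services on the router" case the post describes.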